I am still unclear what’s happening. What you are explaining should work fine, however something is clearly not working for you.
Can you provide an http://www.sscce.org ?

> On Oct 29, 2024, at 9:55 AM, sh...@dstutz.com wrote:
>
> Just figured out if I do an API request, then "log out" of the open api UI which only removes the authorization header/bearer token, then requests still work I guess because I see a cookie with the JSESSIONID as part of the incoming request, but I don't see how that should work. Shiro is picking up the previous request's API key principal.
>
> If I explicitly go to the logout url of my application then attempt the API call (via openapi UI) again, it fails with 401 as I would hope.
>
> Maybe this is another area where I am fundamentally misunderstanding how things work. I have noSessionCreation filter for some of these URLs which I guess I assumed that each request would need to be authenticated to work since there's no session, then there should be nothing remembered between, but the Subject/principal still appears to be "logged in" after accessing the authcBearer URL which I don't want.
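For readers following the thread, here is an added shiro.ini fragment (not the poster's configuration; the /api/** and UI paths are placeholders) showing the filter-chain shape the quoted message describes, with the point that matters for the observed behaviour: noSessionCreation only stops Shiro from creating a new session on that path, it does not stop Shiro from resolving a session that already exists and arrives via the JSESSIONID cookie. A session established on any path that is not covered by noSessionCreation will therefore still be honoured on the API path until it is invalidated (for example by the application's logout URL).

```ini
# Added example, not the original poster's configuration.
# Path names below are placeholders.

[urls]
# Order matters: noSessionCreation must precede authcBearer so that a
# successful bearer/API-key login on this path does not create a session.
# It does NOT reject an existing session presented in the JSESSIONID cookie.
/api/** = noSessionCreation, authcBearer

# Invalidates the current session; after this an API call with no bearer
# token gets a 401 again.
/logout = logout

# Session-based UI paths; a session created here is reused on /api/**
# because only creation, not use, is disabled there.
/** = authc
```

A quick check when verifying such a setup: responses to requests under /api/** should never carry a Set-Cookie header for JSESSIONID; if one appears, a filter earlier in the chain (or code outside the chain) is creating sessions on that path.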